Embedding Security Behaviour Change

How will you embed the desired security behaviours and culture in your organisation?

Security behaviour change requires a clear vision as well as a coordinated strategy to ensure that interventions are consistent, practical and meaningful.

Before embarking on a change programme, however big or small, it is critical that an organisation is clear on the following:

  • The objectives of the change (i.e. the vision or strategy)
  • The size and scale of the change (i.e. the gap between where the organisation is now and where it wants to be)
  • The actions to implement the change (i.e. the interventions)
  • Whether the organisation is ready for the change (i.e. whether it has the necessary time, resources and buy-in)
  • How to communicate the change to the target audience and other key stakeholders (i.e. the communications strategy)
  • How to review and evaluate the impact of the change (i.e. the measures of success and key performance indicators)

There is no one right way to deliver change. A bespoke approach, suited to the particular needs and requirements of your organisation, will ultimately work best.

CPNI has developed the 5 E’s approach to organisational behaviour change. This provides some overarching principles that organisations are advised to follow when developing a security change programme, drawing on the latest behaviour change theory.

Listed below are CPNI's off-the-shelf security behaviour change campaigns and guidance documents that you are welcome to use for free.